Analysis
-
max time kernel
143s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 18:46
General
-
Target
Attached is list of our purchase order.exe
-
Size
1018KB
-
MD5
51c0b8ed8fefbc54a2dee932441e60f5
-
SHA1
f1725101ee1c02864a3e829d08d9062d9f05a694
-
SHA256
ab654da16e2c42b2547b884c79f0829214b34e0d1db7ab0ad23271a66f3298c3
-
SHA512
1d596345a1e54f24de8e2b2d086eed00ec822caab7b985abae37df15d300419ef0e0dc81d7154b73c89a2fa74b9fecc4d42f7fb09f56cb0e33e415056baf8804
Malware Config
Extracted
formbook
4.1
3nop
bakecakesandmore.com
shenglisuoye.com
chinapopfactory.com
ynlrhd.com
liqourforyou.com
leonqamil.com
meccafon.com
online-marketing-strategie.biz
rbfxi.com
frseyb.info
leyu91.com
hotsmail.today
beepot.tech
dunaemmetmobility.com
sixpenceworkshop.com
incrediblefavorcoaching.com
pofo.info
yanshudaili.com
yellowbrickwedding.com
paintpartyblueprint.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 4 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Attached is list of our purchase order.exe"C:\Users\Admin\AppData\Local\Temp\Attached is list of our purchase order.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\-65A6372\-65logim.jpegFilesize
44KB
MD56c2bb8356a7beaee984971e15c64cfc2
SHA1065cdddf14f0641d0023caac9f34e5c099ad904a
SHA2560aca76e1b8a9e0210a6e1c842e8a3ca63840530a6fecdd22bab7390f7bd99a96
SHA5121f6f8aaaae64ff59ae7066f4f42a907cd8f2b99652cded9d33c9c333760db87144aeb1d30be12949659c217efb2ddc7c1ec32d2e6dfbcdfac143b1bea5e3cf98
-
C:\Users\Admin\AppData\Roaming\-65A6372\-65logrf.iniFilesize
40B
MD52f245469795b865bdd1b956c23d7893d
SHA16ad80b974d3808f5a20ea1e766c7d2f88b9e5895
SHA2561662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
SHA512909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
-
C:\Users\Admin\AppData\Roaming\-65A6372\-65logri.iniFilesize
40B
MD5d63a82e5d81e02e399090af26db0b9cb
SHA191d0014c8f54743bba141fd60c9d963f869d76c9
SHA256eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA51238afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
-
C:\Users\Admin\AppData\Roaming\-65A6372\-65logrv.iniFilesize
40B
MD5ba3b6bc807d4f76794c4b81b09bb9ba5
SHA124cb89501f0212ff3095ecc0aba97dd563718fb1
SHA2566eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf
-
memory/1236-68-0x0000000000000000-mapping.dmp
-
memory/1236-73-0x0000000000A60000-0x0000000000AF3000-memory.dmpFilesize
588KB
-
memory/1236-72-0x0000000002110000-0x0000000002413000-memory.dmpFilesize
3.0MB
-
memory/1236-71-0x00000000000D0000-0x00000000000FD000-memory.dmpFilesize
180KB
-
memory/1236-70-0x00000000003C0000-0x00000000003D4000-memory.dmpFilesize
80KB
-
memory/1260-74-0x0000000006FA0000-0x00000000070E8000-memory.dmpFilesize
1.3MB
-
memory/1260-67-0x0000000006E20000-0x0000000006F9A000-memory.dmpFilesize
1.5MB
-
memory/1260-64-0x0000000006200000-0x000000000637D000-memory.dmpFilesize
1.5MB
-
memory/1596-54-0x0000000075781000-0x0000000075783000-memory.dmpFilesize
8KB
-
memory/1596-56-0x0000000010410000-0x000000001043D000-memory.dmpFilesize
180KB
-
memory/1740-66-0x00000000002E0000-0x00000000002F4000-memory.dmpFilesize
80KB
-
memory/1740-63-0x0000000000250000-0x0000000000264000-memory.dmpFilesize
80KB
-
memory/1740-62-0x00000000021E0000-0x00000000024E3000-memory.dmpFilesize
3.0MB
-
memory/1740-61-0x0000000010410000-0x000000001043D000-memory.dmpFilesize
180KB
-
memory/1740-59-0x0000000000000000-mapping.dmp
-
memory/1740-57-0x0000000010410000-0x000000001043D000-memory.dmpFilesize
180KB
